From 4d9736e80c16416ede823cba4fc54af9e735ed5d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 17 May 2022 05:12:41 -0400 Subject: [PATCH] import conntrack-tools-1.4.5-10.el9_0 --- .conntrack-tools.metadata | 1 + .gitignore | 1 + ...01-conntrackd-search-for-RPC-headers.patch | 45 ++ ...warning-when-compiling-against-libti.patch | 59 ++ ...mmented-out-macros-from-configure.ac.patch | 60 ++ SOURCES/0004-Makefile.am-Use-instead-of.patch | 70 +++ SOURCES/0005-nfct-remove-lazy-binding.patch | 534 ++++++++++++++++++ SOURCES/conntrackd.conf | 419 ++++++++++++++ SOURCES/conntrackd.service | 13 + SPECS/conntrack-tools.spec | 291 ++++++++++ 10 files changed, 1493 insertions(+) create mode 100644 .conntrack-tools.metadata create mode 100644 .gitignore create mode 100644 SOURCES/0001-conntrackd-search-for-RPC-headers.patch create mode 100644 SOURCES/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch create mode 100644 SOURCES/0003-build-remove-commented-out-macros-from-configure.ac.patch create mode 100644 SOURCES/0004-Makefile.am-Use-instead-of.patch create mode 100644 SOURCES/0005-nfct-remove-lazy-binding.patch create mode 100644 SOURCES/conntrackd.conf create mode 100644 SOURCES/conntrackd.service create mode 100644 SPECS/conntrack-tools.spec diff --git a/.conntrack-tools.metadata b/.conntrack-tools.metadata new file mode 100644 index 0000000..71fb4e6 --- /dev/null +++ b/.conntrack-tools.metadata @@ -0,0 +1 @@ +7d03a8d6d9ef56a9980ebfe25a282123807f8dcb SOURCES/conntrack-tools-1.4.5.tar.bz2 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a58e1c7 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/conntrack-tools-1.4.5.tar.bz2 diff --git a/SOURCES/0001-conntrackd-search-for-RPC-headers.patch b/SOURCES/0001-conntrackd-search-for-RPC-headers.patch new file mode 100644 index 0000000..5ad0d8f --- /dev/null +++ b/SOURCES/0001-conntrackd-search-for-RPC-headers.patch @@ -0,0 +1,45 @@ +From 113ed506dc85e5c8c6f1a9971583e1a8656ba0ae Mon Sep 17 00:00:00 2001 +From: Ash Hughes +Date: Mon, 27 May 2019 21:59:23 +0100 +Subject: [PATCH] conntrackd: search for RPC headers + +Attempts to get RPC headers from libtirpc if they aren't otherwise +available. + +Signed-off-by: Ash Hughes +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 5ededc4476f27e74f49f37ce646dabc1def7d4dc) +--- + configure.ac | 2 ++ + src/helpers/Makefile.am | 2 +- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 048d261ac1088..cb9659f4feeb4 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -50,6 +50,8 @@ AC_ARG_ENABLE([systemd], + AS_HELP_STRING([--enable-systemd], [Build systemd support]), + [enable_systemd="$enableval"], [enable_systemd="no"]) + ++AC_CHECK_HEADER([rpc/rpc_msg.h], [AC_SUBST([LIBTIRPC_CFLAGS],'')], [PKG_CHECK_MODULES([LIBTIRPC], [libtirpc])]) ++ + PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1]) + PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3]) + PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.7]) +diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am +index 05801bc7f7037..51e2841a7646a 100644 +--- a/src/helpers/Makefile.am ++++ b/src/helpers/Makefile.am +@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS) + + ct_helper_rpc_la_SOURCES = rpc.c + ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS) +-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) ++ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@ + + ct_helper_tftp_la_SOURCES = tftp.c + ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS) +-- +2.34.1 + diff --git a/SOURCES/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch b/SOURCES/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch new file mode 100644 index 0000000..cc3a2ec --- /dev/null +++ b/SOURCES/0002-helpers-Fix-for-warning-when-compiling-against-libti.patch @@ -0,0 +1,59 @@ +From c7936a2355398fd071010e8c2da9fc44a048d1cb Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Tue, 12 Feb 2019 23:35:06 +0100 +Subject: [PATCH] helpers: Fix for warning when compiling against libtirpc + +Fix for the following warning: + +In file included from rpc.c:29: +/usr/include/tirpc/rpc/rpc_msg.h:214:52: warning: 'struct rpc_err' declared inside parameter list will not be visible outside of this definition or declaration + 214 | extern void _seterr_reply(struct rpc_msg *, struct rpc_err *); + | ^~~~~~~ + +Struct rpc_err is declared in rpc/clnt.h which also declares rpc_call(), +therefore rename the local version. + +Fixes: 5ededc4476f27 ("conntrackd: search for RPC headers") +Signed-off-by: Phil Sutter +Acked-by: Arturo Borrero Gonzalez +Acked-by: Pablo Neira Ayuso +(cherry picked from commit ea9f896ed6a9b47b3a9a32bf594f57e6f6da97df) +--- + src/helpers/rpc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c +index 3a7b337135f04..bd24dd3269c8e 100644 +--- a/src/helpers/rpc.c ++++ b/src/helpers/rpc.c +@@ -26,6 +26,7 @@ + + #include + ++#include + #include + #include + #define _GNU_SOURCE +@@ -114,8 +115,8 @@ nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp, + #define ROUNDUP(n) ((((n) + 3)/4)*4) + + static int +-rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen, +- struct rpc_info *rpc_info) ++rpc_parse_call(const uint32_t *data, uint32_t offset, uint32_t datalen, ++ struct rpc_info *rpc_info) + { + uint32_t p, r; + +@@ -393,7 +394,7 @@ rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff, + } + + if (rm_dir == CALL) { +- if (rpc_call(data, offset, datalen, rpc_info) < 0) ++ if (rpc_parse_call(data, offset, datalen, rpc_info) < 0) + goto out; + + rpc_info->xid = xid; +-- +2.34.1 + diff --git a/SOURCES/0003-build-remove-commented-out-macros-from-configure.ac.patch b/SOURCES/0003-build-remove-commented-out-macros-from-configure.ac.patch new file mode 100644 index 0000000..869e876 --- /dev/null +++ b/SOURCES/0003-build-remove-commented-out-macros-from-configure.ac.patch @@ -0,0 +1,60 @@ +From 456dcededa381afcba0d29332517bd941cfed6a6 Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Sat, 25 Sep 2021 16:10:30 +0100 +Subject: [PATCH] build: remove commented-out macros from configure.ac + +This code has been commented out since at least 2007. + +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit 3184d9936329dafbc2a24f546224a44f66d975b5) +(cherry picked from commit 9ec53c524d1201e6a9b2feca796ffbe2e5d1b743) +--- + configure.ac | 25 ------------------------- + 1 file changed, 25 deletions(-) + +diff --git a/configure.ac b/configure.ac +index cb9659f4feeb4..5388054e64a58 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -75,37 +75,12 @@ AM_CONDITIONAL([HAVE_SYSTEMD], [test "x$enable_systemd" = "xyes"]) + + AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabibility.h])]) + +-# Checks for libraries. +-# FIXME: Replace `main' with a function in `-lc': +-dnl AC_CHECK_LIB([c], [main]) +-# FIXME: Replace `main' with a function in `-ldl': +- + AC_CHECK_HEADERS(arpa/inet.h) +-dnl check for inet_pton + AC_CHECK_FUNCS(inet_pton) + +-# Checks for header files. +-dnl AC_HEADER_STDC +-dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h]) +- +-# Checks for typedefs, structures, and compiler characteristics. +-dnl AC_C_CONST +-dnl AC_C_INLINE +- + # Let nfct use dlopen() on helper libraries without resolving all symbols. + AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) + +-# Checks for library functions. +-dnl AC_FUNC_MALLOC +-dnl AC_FUNC_VPRINTF +-dnl AC_CHECK_FUNCS([memset]) +- +-dnl AC_CONFIG_FILES([Makefile +-dnl debug/Makefile +-dnl debug/src/Makefile +-dnl extensions/Makefile +-dnl src/Makefile]) +- + if test ! -z "$libdir"; then + MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" + CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" +-- +2.34.1 + diff --git a/SOURCES/0004-Makefile.am-Use-instead-of.patch b/SOURCES/0004-Makefile.am-Use-instead-of.patch new file mode 100644 index 0000000..c8e161e --- /dev/null +++ b/SOURCES/0004-Makefile.am-Use-instead-of.patch @@ -0,0 +1,70 @@ +From 1de80cc4b7782179dc392ca17bbd309655b905b2 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Mon, 11 Nov 2019 18:02:49 +0100 +Subject: [PATCH] Makefile.am: Use ${} instead of @...@ + +Referencing to variables using @...@ means they will be replaced by +configure. This is not needed and may cause problems later. + +Suggested-by: Jan Engelhardt +Signed-off-by: Phil Sutter +Acked-by: Arturo Borrero Gonzalez +Acked-by: Pablo Neira Ayuso +(cherry picked from commit f09b07f26c2bc15f59e64cc393c003966d7ca217) +--- + Makefile.am | 2 +- + src/Makefile.am | 2 +- + src/helpers/Makefile.am | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index f64d60438d411..df4c0cbf71664 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -7,7 +7,7 @@ EXTRA_DIST = $(man_MANS) Make_global.am doc m4 tests + + SUBDIRS = extensions src + DIST_SUBDIRS = include src extensions +-LIBS = @LIBNETFILTER_CONNTRACK_LIBS@ ++LIBS = $(LIBNETFILTER_CONNTRACK_LIBS) + + dist-hook: + rm -rf `find $(distdir)/doc -name *.orig` +diff --git a/src/Makefile.am b/src/Makefile.am +index a9a868596e69c..a5b918d951327 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -35,7 +35,7 @@ if HAVE_CTHELPER + nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} + endif + +-nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@ ++nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS} + + conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \ + local.c log.c mcast.c udp.c netlink.c vector.c \ +diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am +index 51e2841a7646a..d851d313e6fea 100644 +--- a/src/helpers/Makefile.am ++++ b/src/helpers/Makefile.am +@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ + ct_helper_sane.la \ + ct_helper_ssdp.la + +-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@ ++HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS) + HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) + + ct_helper_amanda_la_SOURCES = amanda.c +@@ -31,7 +31,7 @@ ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS) + + ct_helper_rpc_la_SOURCES = rpc.c + ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS) +-ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) @LIBTIRPC_CFLAGS@ ++ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS) $(LIBTIRPC_CFLAGS) + + ct_helper_tftp_la_SOURCES = tftp.c + ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS) +-- +2.34.1 + diff --git a/SOURCES/0005-nfct-remove-lazy-binding.patch b/SOURCES/0005-nfct-remove-lazy-binding.patch new file mode 100644 index 0000000..3c829df --- /dev/null +++ b/SOURCES/0005-nfct-remove-lazy-binding.patch @@ -0,0 +1,534 @@ +From d18e2e7b13ce623da968e896c04813f9d3b8efbf Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 8 Mar 2022 23:05:39 +0100 +Subject: [PATCH] nfct: remove lazy binding + +Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when +daemon starts"), userspace conntrack helpers do not depend on a previous +invocation of nfct to set up the userspace helpers. + +Move helper definitions to nfct-extensions/helper.c since existing +deployments might still invoke nfct, even if not required anymore. + +This patch was motivated by the removal of the lazy binding. + +Phil Sutter says: + +"For security purposes, distributions might want to pass -Wl,-z,now +linker flags to all builds, thereby disabling lazy binding globally. + +In the past, nfct relied upon lazy binding: It uses the helper objects' +parsing functions without but doesn't provide all symbols the objects +use." + +Acked-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +(cherry picked from commit dc454a657f57a5cf143fddc5c1dd87a510c1790a) +(cherry picked from commit 4527e4fec140ff5480d4fbfb2916001d64a0f72a) +--- + configure.ac | 5 +- + include/Makefile.am | 2 +- + include/helper.h | 1 + + include/helpers/Makefile.am | 1 + + include/helpers/ftp.h | 14 +++ + include/helpers/rpc.h | 15 +++ + include/helpers/sane.h | 13 +++ + include/helpers/tns.h | 9 ++ + src/Makefile.am | 2 - + src/helpers.c | 3 +- + src/helpers/Makefile.am | 2 +- + src/helpers/ftp.c | 12 +-- + src/helpers/rpc.c | 13 +-- + src/helpers/sane.c | 10 +- + src/helpers/tns.c | 7 +- + src/nfct-extensions/helper.c | 184 ++++++++++++++++++++++++++++++++++- + 16 files changed, 246 insertions(+), 47 deletions(-) + create mode 100644 include/helpers/Makefile.am + create mode 100644 include/helpers/ftp.h + create mode 100644 include/helpers/rpc.h + create mode 100644 include/helpers/sane.h + create mode 100644 include/helpers/tns.h + +diff --git a/configure.ac b/configure.ac +index 5388054e64a58..1e444508fdc3c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -78,15 +78,12 @@ AC_CHECK_HEADERS([linux/capability.h],, [AC_MSG_ERROR([Cannot find linux/capabib + AC_CHECK_HEADERS(arpa/inet.h) + AC_CHECK_FUNCS(inet_pton) + +-# Let nfct use dlopen() on helper libraries without resolving all symbols. +-AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])]) +- + if test ! -z "$libdir"; then + MODULE_DIR="\\\"$libdir/conntrack-tools/\\\"" + CFLAGS="$CFLAGS -DCONNTRACKD_LIB_DIR=$MODULE_DIR" + fi + +-AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) ++AC_CONFIG_FILES([Makefile src/Makefile include/Makefile include/helpers/Makefile include/linux/Makefile include/linux/netfilter/Makefile extensions/Makefile src/helpers/Makefile]) + AC_OUTPUT + + echo " +diff --git a/include/Makefile.am b/include/Makefile.am +index 352054e9135bd..4741b50228eb9 100644 +--- a/include/Makefile.am ++++ b/include/Makefile.am +@@ -1,4 +1,4 @@ +-SUBDIRS = linux ++SUBDIRS = linux helpers + + noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \ + sync.h conntrackd.h local.h udp.h tcp.h \ +diff --git a/include/helper.h b/include/helper.h +index d15c1c62c0534..7353dfa9b2073 100644 +--- a/include/helper.h ++++ b/include/helper.h +@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const + extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end); + + extern void helper_register(struct ctd_helper *helper); ++struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto); + struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags); + + #define min_t(type, x, y) ({ \ +diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am +new file mode 100644 +index 0000000000000..99a4257d2d061 +--- /dev/null ++++ b/include/helpers/Makefile.am +@@ -0,0 +1 @@ ++noinst_HEADERS = ftp.h rpc.h sane.h tns.h +diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h +new file mode 100644 +index 0000000000000..50e2d0c97946d +--- /dev/null ++++ b/include/helpers/ftp.h +@@ -0,0 +1,14 @@ ++#ifndef _CTD_FTP_H ++#define _CTD_FTP_H ++ ++#define NUM_SEQ_TO_REMEMBER 2 ++ ++/* This structure exists only once per master */ ++struct ftp_info { ++ /* Valid seq positions for cmd matching after newline */ ++ uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; ++ /* 0 means seq_match_aft_nl not set */ ++ int seq_aft_nl_num[MYCT_DIR_MAX]; ++}; ++ ++#endif +diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h +new file mode 100644 +index 0000000000000..b0b8d176fb542 +--- /dev/null ++++ b/include/helpers/rpc.h +@@ -0,0 +1,15 @@ ++#ifndef _CTD_RPC_H ++#define _CTD_RPC_H ++ ++struct rpc_info { ++ /* XID */ ++ uint32_t xid; ++ /* program */ ++ uint32_t pm_prog; ++ /* program version */ ++ uint32_t pm_vers; ++ /* transport protocol: TCP|UDP */ ++ uint32_t pm_prot; ++}; ++ ++#endif +diff --git a/include/helpers/sane.h b/include/helpers/sane.h +new file mode 100644 +index 0000000000000..1e70ff636d60d +--- /dev/null ++++ b/include/helpers/sane.h +@@ -0,0 +1,13 @@ ++#ifndef _CTD_SANE_H ++#define _CTD_SANE_H ++ ++enum sane_state { ++ SANE_STATE_NORMAL, ++ SANE_STATE_START_REQUESTED, ++}; ++ ++struct nf_ct_sane_master { ++ enum sane_state state; ++}; ++ ++#endif +diff --git a/include/helpers/tns.h b/include/helpers/tns.h +new file mode 100644 +index 0000000000000..60dcf253657fc +--- /dev/null ++++ b/include/helpers/tns.h +@@ -0,0 +1,9 @@ ++#ifndef _CTD_TNS_H ++#define _CTD_TNS_H ++ ++struct tns_info { ++ /* Scan next DATA|REDIRECT packet */ ++ bool parse; ++}; ++ ++#endif +diff --git a/src/Makefile.am b/src/Makefile.am +index a5b918d951327..9e47d2278a0d5 100644 +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -35,8 +35,6 @@ if HAVE_CTHELPER + nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS} + endif + +-nfct_LDFLAGS = -export-dynamic ${LAZY_LDFLAGS} +- + conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c queue_tx.c rbtree.c \ + local.c log.c mcast.c udp.c netlink.c vector.c \ + filter.c fds.c event.c process.c origin.c date.c \ +diff --git a/src/helpers.c b/src/helpers.c +index 3e4e6c8553b8a..8ca78dc113fb7 100644 +--- a/src/helpers.c ++++ b/src/helpers.c +@@ -26,8 +26,7 @@ void helper_register(struct ctd_helper *helper) + list_add(&helper->head, &helper_list); + } + +-static struct ctd_helper * +-__helper_find(const char *helper_name, uint8_t l4proto) ++struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto) + { + struct ctd_helper *cur, *helper = NULL; + +diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am +index d851d313e6fea..8f9c4ec556b66 100644 +--- a/src/helpers/Makefile.am ++++ b/src/helpers/Makefile.am +@@ -10,7 +10,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \ + ct_helper_sane.la \ + ct_helper_ssdp.la + +-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS) ++HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) + HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS) + + ct_helper_amanda_la_SOURCES = amanda.c +diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c +index c3aa28485b0f3..bd3f11788cc24 100644 +--- a/src/helpers/ftp.c ++++ b/src/helpers/ftp.c +@@ -35,17 +35,9 @@ + #include + #include + +-static bool loose; /* XXX: export this as config option. */ +- +-#define NUM_SEQ_TO_REMEMBER 2 ++#include "helpers/ftp.h" + +-/* This structure exists only once per master */ +-struct ftp_info { +- /* Valid seq positions for cmd matching after newline */ +- uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER]; +- /* 0 means seq_match_aft_nl not set */ +- int seq_aft_nl_num[MYCT_DIR_MAX]; +-}; ++static bool loose; /* XXX: export this as config option. */ + + enum nf_ct_ftp_type { + /* PORT command from client */ +diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c +index bd24dd3269c8e..83adf658521d4 100644 +--- a/src/helpers/rpc.c ++++ b/src/helpers/rpc.c +@@ -40,21 +40,12 @@ + #include + #include + ++#include "helpers/rpc.h" ++ + /* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */ + /* RFC 1014: XDR: External Data Representation Standard */ + #define SUPPORTED_RPC_VERSION 2 + +-struct rpc_info { +- /* XID */ +- uint32_t xid; +- /* program */ +- uint32_t pm_prog; +- /* program version */ +- uint32_t pm_vers; +- /* transport protocol: TCP|UDP */ +- uint32_t pm_prot; +-}; +- + /* So, this packet has hit the connection tracking matching code. + Mangle it, and change the expectation to match the new version. */ + static unsigned int +diff --git a/src/helpers/sane.c b/src/helpers/sane.c +index c30f4ba18533e..5e02e4fc2c1c3 100644 +--- a/src/helpers/sane.c ++++ b/src/helpers/sane.c +@@ -38,11 +38,7 @@ + #include + #include + #include +- +-enum sane_state { +- SANE_STATE_NORMAL, +- SANE_STATE_START_REQUESTED, +-}; ++#include "helpers/sane.h" + + struct sane_request { + uint32_t RPC_code; +@@ -60,10 +56,6 @@ struct sane_reply_net_start { + /* other fields aren't interesting for conntrack */ + }; + +-struct nf_ct_sane_master { +- enum sane_state state; +-}; +- + static int + sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff, + struct myct *myct, uint32_t ctinfo) +diff --git a/src/helpers/tns.c b/src/helpers/tns.c +index 2b4fed420afb0..d9c7ae693f3a7 100644 +--- a/src/helpers/tns.c ++++ b/src/helpers/tns.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include "helpers/tns.h" ++ + /* TNS SQL*Net Version 2 */ + enum tns_types { + TNS_TYPE_CONNECT = 1, +@@ -57,11 +59,6 @@ struct tns_redirect { + uint16_t data_len; + }; + +-struct tns_info { +- /* Scan next DATA|REDIRECT packet */ +- bool parse; +-}; +- + static int try_number(const char *data, size_t dlen, uint32_t array[], + int array_size, char sep, char term) + { +diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c +index 0569827612f06..fdeb94c5e5172 100644 +--- a/src/nfct-extensions/helper.c ++++ b/src/nfct-extensions/helper.c +@@ -180,7 +180,7 @@ static int nfct_cmd_helper_add(struct mnl_socket *nl, int argc, char *argv[]) + return -1; + } + +- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); ++ helper = __helper_find(argv[3], l4proto); + if (helper == NULL) { + nfct_perror("that helper is not supported"); + return -1; +@@ -430,7 +430,7 @@ nfct_cmd_helper_disable(struct mnl_socket *nl, int argc, char *argv[]) + return -1; + } + +- helper = helper_find(CONNTRACKD_LIB_DIR, argv[3], l4proto, RTLD_LAZY); ++ helper = __helper_find(argv[3], l4proto); + if (helper == NULL) { + nfct_perror("that helper is not supported"); + return -1; +@@ -468,7 +468,187 @@ static struct nfct_extension helper = { + .parse_params = nfct_helper_parse_params, + }; + ++/* ++ * supported helpers: to set up helpers via nfct, the following definitions are ++ * provided for backward compatibility reasons since conntrackd does not depend ++ * on nfct anymore to set up the userspace helpers. ++ */ ++ ++static struct ctd_helper amanda_helper = { ++ .name = "amanda", ++ .l4proto = IPPROTO_UDP, ++ .policy = { ++ [0] = { ++ .name = "amanda", ++ .expect_max = 3, ++ .expect_timeout = 180, ++ }, ++ }, ++}; ++ ++static struct ctd_helper dhcpv6_helper = { ++ .name = "dhcpv6", ++ .l4proto = IPPROTO_UDP, ++ .policy = { ++ [0] = { ++ .name = "dhcpv6", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++#include "helpers/ftp.h" ++ ++static struct ctd_helper ftp_helper = { ++ .name = "ftp", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct ftp_info), ++ .policy = { ++ [0] = { ++ .name = "ftp", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++static struct ctd_helper mdns_helper = { ++ .name = "mdns", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "mdns", ++ .expect_max = 8, ++ .expect_timeout = 30, ++ }, ++ }, ++}; ++ ++#include "helpers/rpc.h" ++ ++static struct ctd_helper rpc_helper_tcp = { ++ .name = "rpc", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct rpc_info), ++ .policy = { ++ { ++ .name = "rpc", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++static struct ctd_helper rpc_helper_udp = { ++ .name = "rpc", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = sizeof(struct rpc_info), ++ .policy = { ++ { ++ .name = "rpc", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ ++#include "helpers/sane.h" ++ ++static struct ctd_helper sane_helper = { ++ .name = "sane", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct nf_ct_sane_master), ++ .policy = { ++ [0] = { ++ .name = "sane", ++ .expect_max = 1, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++static struct ctd_helper slp_helper = { ++ .name = "slp", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "slp", ++ .expect_max = 8, ++ .expect_timeout = 16, /* default CONFIG_MC_MAX + 1 */ ++ }, ++ }, ++}; ++ ++static struct ctd_helper ssdp_helper_udp = { ++ .name = "ssdp", ++ .l4proto = IPPROTO_UDP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "ssdp", ++ .expect_max = 8, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++static struct ctd_helper ssdp_helper_tcp = { ++ .name = "ssdp", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = 0, ++ .policy = { ++ [0] = { ++ .name = "ssdp", ++ .expect_max = 8, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++static struct ctd_helper tftp_helper = { ++ .name = "tftp", ++ .l4proto = IPPROTO_UDP, ++ .policy = { ++ [0] = { ++ .name = "tftp", ++ .expect_max = 1, ++ .expect_timeout = 5 * 60, ++ }, ++ }, ++}; ++ ++#include "helpers/tns.h" ++ ++static struct ctd_helper tns_helper = { ++ .name = "tns", ++ .l4proto = IPPROTO_TCP, ++ .priv_data_len = sizeof(struct tns_info), ++ .policy = { ++ [0] = { ++ .name = "tns", ++ .expect_max = 1, ++ .expect_timeout = 300, ++ }, ++ }, ++}; ++ + static void __init helper_init(void) + { ++ helper_register(&amanda_helper); ++ helper_register(&dhcpv6_helper); ++ helper_register(&ftp_helper); ++ helper_register(&mdns_helper); ++ helper_register(&rpc_helper_tcp); ++ helper_register(&rpc_helper_udp); ++ helper_register(&sane_helper); ++ helper_register(&slp_helper); ++ helper_register(&ssdp_helper_udp); ++ helper_register(&ssdp_helper_tcp); ++ helper_register(&tftp_helper); ++ helper_register(&tns_helper); ++ + nfct_extension_register(&helper); + } +-- +2.34.1 + diff --git a/SOURCES/conntrackd.conf b/SOURCES/conntrackd.conf new file mode 100644 index 0000000..3970e91 --- /dev/null +++ b/SOURCES/conntrackd.conf @@ -0,0 +1,419 @@ + +# See also: http://conntrack-tools.netfilter.org/support.html +# +# There are 3 different modes of running conntrackd: "alarm", "notrack" and "ftfw" +# +# The default package ships with a FTFW configuration, see /usr/share/doc/conntrackd* +# for example configurations for other modes. + + +# +# Synchronizer settings +# +Sync { + Mode FTFW { + # + # Size of the resend queue (in objects). This is the maximum + # number of objects that can be stored waiting to be confirmed + # via acknoledgment. If you keep this value low, the daemon + # will have less chances to recover state-changes under message + # omission. On the other hand, if you keep this value high, + # the daemon will consume more memory to store dead objects. + # Default is 131072 objects. + # + # ResendQueueSize 131072 + + # + # This parameter allows you to set an initial fixed timeout + # for the committed entries when this node goes from backup + # to primary. This mechanism provides a way to purge entries + # that were not recovered appropriately after the specified + # fixed timeout. If you set a low value, TCP entries in + # Established states with no traffic may hang. For example, + # an SSH connection without KeepAlive enabled. If not set, + # the daemon uses an approximate timeout value calculation + # mechanism. By default, this option is not set. + # + # CommitTimeout 180 + + # + # If the firewall replica goes from primary to backup, + # the conntrackd -t command is invoked in the script. + # This command schedules a flush of the table in N seconds. + # This is useful to purge the connection tracking table of + # zombie entries and avoid clashes with old entries if you + # trigger several consecutive hand-overs. Default is 60 seconds. + # + # PurgeTimeout 60 + + # Set the acknowledgement window size. If you decrease this + # value, the number of acknowlegdments increases. More + # acknowledgments means more overhead as conntrackd has to + # handle more control messages. On the other hand, if you + # increase this value, the resend queue gets more populated. + # This results in more overhead in the queue releasing. + # The following value is based on some practical experiments + # measuring the cycles spent by the acknowledgment handling + # with oprofile. If not set, default window size is 300. + # + # ACKWindowSize 300 + + # + # This clause allows you to disable the external cache. Thus, + # the state entries are directly injected into the kernel + # conntrack table. As a result, you save memory in user-space + # but you consume slots in the kernel conntrack table for + # backup state entries. Moreover, disabling the external cache + # means more CPU consumption. You need a Linux kernel + # >= 2.6.29 to use this feature. By default, this clause is + # set off. If you are installing conntrackd for first time, + # please read the user manual and I encourage you to consider + # using the fail-over scripts instead of enabling this option! + # + # DisableExternalCache Off + } + + # + # Multicast IP and interface where messages are + # broadcasted (dedicated link). IMPORTANT: Make sure + # that iptables accepts traffic for destination + # 225.0.0.50, eg: + # + # iptables -I INPUT -d 225.0.0.50 -j ACCEPT + # iptables -I OUTPUT -d 225.0.0.50 -j ACCEPT + # + Multicast { + # + # Multicast address: The address that you use as destination + # in the synchronization messages. You do not have to add + # this IP to any of your existing interfaces. If any doubt, + # do not modify this value. + # + IPv4_address 225.0.0.50 + + # + # The multicast group that identifies the cluster. If any + # doubt, do not modify this value. + # + Group 3780 + + # + # IP address of the interface that you are going to use to + # send the synchronization messages. Remember that you must + # use a dedicated link for the synchronization messages. + # + IPv4_interface 192.168.100.100 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + Interface eth2 + + # The multicast sender uses a buffer to enqueue the packets + # that are going to be transmitted. The default size of this + # socket buffer is available at /proc/sys/net/core/wmem_default. + # This value determines the chances to have an overrun in the + # sender queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size + # of the sender buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + SndSocketBuffer 1249280 + + # The multicast receiver uses a buffer to enqueue the packets + # that the socket is pending to handle. The default size of this + # socket buffer is available at /proc/sys/net/core/rmem_default. + # This value determines the chances to have an overrun in the + # receiver queue. The overrun results packet loss, thus, losing + # state information that would have to be retransmitted. If you + # notice some packet loss, you may want to increase the size of + # the receiver buffer. The default size is usually around + # ~100 KBytes which is fairly small for busy firewalls. + # + RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. This is a good + # property to achieve fault-tolerance. In case of doubt, do + # not modify this value. + # + Checksum on + } + # + # You can specify more than one dedicated link. Thus, if one dedicated + # link fails, conntrackd can fail-over to another. Note that adding + # more than one dedicated link does not mean that state-updates will + # be sent to all of them. There is only one active dedicated link at + # a given moment. The `Default' keyword indicates that this interface + # will be selected as the initial dedicated link. You can have + # up to 4 redundant dedicated links. Note: Use different multicast + # groups for every redundant link. + # + # Multicast Default { + # IPv4_address 225.0.0.51 + # Group 3781 + # IPv4_interface 192.168.100.101 + # Interface eth3 + # # SndSocketBuffer 1249280 + # # RcvSocketBuffer 1249280 + # Checksum on + # } + + # + # You can use Unicast UDP instead of Multicast to propagate events. + # Note that you cannot use unicast UDP and Multicast at the same + # time, you can only select one. + # + # UDP { + # + # UDP address that this firewall uses to listen to events. + # + # IPv4_address 192.168.2.100 + # + # or you may want to use an IPv6 address: + # + # IPv6_address fe80::215:58ff:fe28:5a27 + + # + # Destination UDP address that receives events, ie. the other + # firewall's dedicated link address. + # + # IPv4_Destination_Address 192.168.2.101 + # + # or you may want to use an IPv6 address: + # + # IPv6_Destination_Address fe80::2d0:59ff:fe2a:775c + + # + # UDP port used + # + # Port 3780 + + # + # The name of the interface that you are going to use to + # send the synchronization messages. + # + # Interface eth2 + + # + # The sender socket buffer size + # + # SndSocketBuffer 1249280 + + # + # The receiver socket buffer size + # + # RcvSocketBuffer 1249280 + + # + # Enable/Disable message checksumming. + # + # Checksum on + # } + + # + # Other unsorted options that are related to the synchronization. + # + # Options { + # + # TCP state-entries have window tracking disabled by default, + # you can enable it with this option. As said, default is off. + # This feature requires a Linux kernel >= 2.6.36. + # + # TCPWindowTracking Off + # } +} + +# +# General settings +# +General { + # + # Set the nice value of the daemon, this value goes from -20 + # (most favorable scheduling) to 19 (least favorable). Using a + # very low value reduces the chances to lose state-change events. + # Default is 0 but this example file sets it to most favourable + # scheduling as this is generally a good idea. See man nice(1) for + # more information. + # + Nice -20 + + # + # Select a different scheduler for the daemon, you can select between + # RR and FIFO and the process priority (minimum is 0, maximum is 99). + # See man sched_setscheduler(2) for more information. Using a RT + # scheduler reduces the chances to overrun the Netlink buffer. + # + # Scheduler { + # Type FIFO + # Priority 99 + # } + + # + # Number of buckets in the cache hashtable. The bigger it is, + # the closer it gets to O(1) at the cost of consuming more memory. + # Read some documents about tuning hashtables for further reference. + # + HashSize 32768 + + # + # Maximum number of conntracks, it should be double of: + # $ cat /proc/sys/net/netfilter/nf_conntrack_max + # since the daemon may keep some dead entries cached for possible + # retransmission during state synchronization. + # + HashLimit 131072 + + # + # Logfile: on (/var/log/conntrackd.log), off, or a filename + # Default: off + # + LogFile on + + # + # Syslog: on, off or a facility name (daemon (default) or local0..7) + # Default: off + # + #Syslog on + + # + # Lockfile + # + LockFile /var/lock/conntrack.lock + + # + # Unix socket configuration + # + UNIX { + Path /var/run/conntrackd.ctl + Backlog 20 + } + + # + # Netlink event socket buffer size. If you do not specify this clause, + # the default buffer size value in /proc/net/core/rmem_default is + # used. This default value is usually around 100 Kbytes which is + # fairly small for busy firewalls. This leads to event message dropping + # and high CPU consumption. This example configuration file sets the + # size to 2 MBytes to avoid this sort of problems. + # + NetlinkBufferSize 2097152 + + # + # The daemon doubles the size of the netlink event socket buffer size + # if it detects netlink event message dropping. This clause sets the + # maximum buffer size growth that can be reached. This example file + # sets the size to 8 MBytes. + # + NetlinkBufferSizeMaxGrowth 8388608 + + # + # If the daemon detects that Netlink is dropping state-change events, + # it automatically schedules a resynchronization against the Kernel + # after 30 seconds (default value). Resynchronizations are expensive + # in terms of CPU consumption since the daemon has to get the full + # kernel state-table and purge state-entries that do not exist anymore. + # Be careful of setting a very small value here. You have the following + # choices: On (enabled, use default 30 seconds value), Off (disabled) + # or Value (in seconds, to set a specific amount of time). If not + # specified, the daemon assumes that this option is enabled. + # + # NetlinkOverrunResync On + + # + # If you want reliable event reporting over Netlink, set on this + # option. If you set on this clause, it is a good idea to set off + # NetlinkOverrunResync. This option is off by default and you need + # a Linux kernel >= 2.6.31. + # + # NetlinkEventsReliable Off + + # + # By default, the daemon receives state updates following an + # event-driven model. You can modify this behaviour by switching to + # polling mode with the PollSecs clause. This clause tells conntrackd + # to dump the states in the kernel every N seconds. With regards to + # synchronization mode, the polling mode can only guarantee that + # long-lifetime states are recovered. The main advantage of this method + # is the reduction in the state replication at the cost of reducing the + # chances of recovering connections. + # + # PollSecs 15 + + # + # The daemon prioritizes the handling of state-change events coming + # from the core. With this clause, you can set the maximum number of + # state-change events (those coming from kernel-space) that the daemon + # will handle after which it will handle other events coming from the + # network or userspace. A low value improves interactivity (in terms of + # real-time behaviour) at the cost of extra CPU consumption. + # Default (if not set) is 100. + # + # EventIterationLimit 100 + + # + # Event filtering: This clause allows you to filter certain traffic, + # There are currently three filter-sets: Protocol, Address and + # State. The filter is attached to an action that can be: Accept or + # Ignore. Thus, you can define the event filtering policy of the + # filter-sets in positive or negative logic depending on your needs. + # You can select if conntrackd filters the event messages from + # user-space or kernel-space. The kernel-space event filtering + # saves some CPU cycles by avoiding the copy of the event message + # from kernel-space to user-space. The kernel-space event filtering + # is prefered, however, you require a Linux kernel >= 2.6.29 to + # filter from kernel-space. If you want to select kernel-space + # event filtering, use the keyword 'Kernelspace' instead of + # 'Userspace'. + # + Filter From Userspace { + # + # Accept only certain protocols: You may want to replicate + # the state of flows depending on their layer 4 protocol. + # + Protocol Accept { + TCP + SCTP + DCCP + # UDP + # ICMP # This requires a Linux kernel >= 2.6.31 + # IPv6-ICMP # This requires a Linux kernel >= 2.6.31 + } + + # + # Ignore traffic for a certain set of IP's: Usually all the + # IP assigned to the firewall since local traffic must be + # ignored, only forwarded connections are worth to replicate. + # Note that these values depends on the local IPs that are + # assigned to the firewall. + # + Address Ignore { + IPv4_address 127.0.0.1 # loopback + IPv4_address 192.168.0.100 # virtual IP 1 + IPv4_address 192.168.1.100 # virtual IP 2 + IPv4_address 192.168.0.1 + IPv4_address 192.168.1.1 + IPv4_address 192.168.100.100 # dedicated link ip + # + # You can also specify networks in format IP/cidr. + # IPv4_address 192.168.0.0/24 + # + # You can also specify an IPv6 address + # IPv6_address ::1 + } + + # + # Uncomment this line below if you want to filter by flow state. + # This option introduces a trade-off in the replication: it + # reduces CPU consumption at the cost of having lazy backup + # firewall replicas. The existing TCP states are: SYN_SENT, + # SYN_RECV, ESTABLISHED, FIN_WAIT, CLOSE_WAIT, LAST_ACK, + # TIME_WAIT, CLOSED, LISTEN. + # + # State Accept { + # ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP + # } + } +} diff --git a/SOURCES/conntrackd.service b/SOURCES/conntrackd.service new file mode 100644 index 0000000..9c108d7 --- /dev/null +++ b/SOURCES/conntrackd.service @@ -0,0 +1,13 @@ +[Unit] +Description=connection tracking daemon for debugging and High Availablity +After=network-online.target +Wants=network-online.target + +[Service] +Type=simple +# rhbz#1255578 daemon will not start if lock file is left dangling +ExecStartPre=/bin/rm -f /var/lock/conntrack.lock +ExecStart=/usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.conf + +[Install] +WantedBy=multi-user.target diff --git a/SPECS/conntrack-tools.spec b/SPECS/conntrack-tools.spec new file mode 100644 index 0000000..e1a757e --- /dev/null +++ b/SPECS/conntrack-tools.spec @@ -0,0 +1,291 @@ +Name: conntrack-tools +Version: 1.4.5 +Release: 10%{?dist} +Summary: Manipulate netfilter connection tracking table and run High Availability +License: GPLv2 +URL: http://conntrack-tools.netfilter.org/ +Source0: http://netfilter.org/projects/%{name}/files/%{name}-%{version}.tar.bz2 +Source1: conntrackd.service +Source2: conntrackd.conf + +Patch01: 0001-conntrackd-search-for-RPC-headers.patch +Patch02: 0002-helpers-Fix-for-warning-when-compiling-against-libti.patch +Patch03: 0003-build-remove-commented-out-macros-from-configure.ac.patch +Patch04: 0004-Makefile.am-Use-instead-of.patch +Patch05: 0005-nfct-remove-lazy-binding.patch + +BuildRequires: gcc +BuildRequires: libnfnetlink-devel >= 1.0.1, libnetfilter_conntrack-devel >= 1.0.7 +BuildRequires: libnetfilter_cttimeout-devel >= 1.0.0, libnetfilter_cthelper-devel >= 1.0.0 +BuildRequires: libmnl-devel >= 1.0.3, libnetfilter_queue-devel >= 1.0.2 +BuildRequires: libtirpc-devel systemd-devel +BuildRequires: pkgconfig bison flex +Provides: conntrack = 1.0-1 +Obsoletes: conntrack < 1.0-1 +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +BuildRequires: systemd +BuildRequires: make +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool + +%description +With conntrack-tools you can setup a High Availability cluster and +synchronize conntrack state between multiple firewalls. + +The conntrack-tools package contains two programs: +- conntrack: the command line interface to interact with the connection + tracking system. +- conntrackd: the connection tracking userspace daemon that can be used to + deploy highly available GNU/Linux firewalls and collect + statistics of the firewall use. + +conntrack is used to search, list, inspect and maintain the netfilter +connection tracking subsystem of the Linux kernel. +Using conntrack, you can dump a list of all (or a filtered selection of) +currently tracked connections, delete connections from the state table, +and even add new ones. +In addition, you can also monitor connection tracking events, e.g. +show an event message (one line) per newly established connection. + +%prep +%autosetup -p1 + +%build +autoreconf -fi +rm -Rf autom4te*.cache config.h.in~ +%configure --disable-static --enable-systemd +%make_build +chmod 644 doc/sync/primary-backup.sh +rm -f doc/sync/notrack/conntrackd.conf.orig doc/sync/alarm/conntrackd.conf.orig doc/helper/conntrackd.conf.orig + +%install +%make_install +find %{buildroot} -type f -name "*.la" -exec rm -f {} ';' +mkdir -p %{buildroot}%{_sysconfdir}/conntrackd +install -d -m 0755 %{buildroot}%{_unitdir} +install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/ +install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/conntrackd/ + +%files +%license COPYING +%doc AUTHORS TODO doc +%dir %{_sysconfdir}/conntrackd +%config(noreplace) %{_sysconfdir}/conntrackd/conntrackd.conf +%{_unitdir}/conntrackd.service +%{_sbindir}/conntrack +%{_sbindir}/conntrackd +%{_sbindir}/nfct +%{_mandir}/man5/* +%{_mandir}/man8/* +%dir %{_libdir}/conntrack-tools +%{_libdir}/conntrack-tools/* + +%post +%systemd_post conntrackd.service + +%preun +%systemd_preun conntrackd.service + +%postun +%systemd_postun conntrackd.service + +%changelog +* Tue Jan 25 2022 Phil Sutter - 1.4.5-10 +- Drop lazy binding via patch from upstream +- Add patches to fix for failing RPC header search +- Enable hardened builds again +- Fix source compile in tests.yml + +* Mon Aug 09 2021 Mohan Boddu - 1.4.5-9 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Thu Apr 15 2021 Mohan Boddu - 1.4.5-8 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Tue Jan 26 2021 Fedora Release Engineering - 1.4.5-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 1.4.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jan 28 2020 Fedora Release Engineering - 1.4.5-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 24 2019 Fedora Release Engineering - 1.4.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 1.4.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Dec 14 2018 Paul Wouters - 1.4.5-2 +- Disable hardened build to really fix rhbz#1413408 + +* Mon Dec 10 2018 Paul Wouters - 1.4.5-1 +- Resolves: rhbz#1574091 conntrack-tools-1.4.5 is available +- Resolves: rhbz#1413408 ct_helper_ftp not working + (I've reduced the hardening to use -z,lazy) +- Eanbled systemd support +- Bumped required libnetfilter_conntrack-devel to 1.0.7 +- fixup harmless but broken mkdir in spec file +- Don't override CPPFLAGS and LIBS, instead fixup src/helpers/Makefile + +* Thu Jul 12 2018 Fedora Release Engineering - 1.4.4-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Apr 12 2018 Orion Poplawski - 1.4.4-7 +- Use libtirpc +- Use %%license + +* Wed Feb 07 2018 Fedora Release Engineering - 1.4.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 02 2017 Fedora Release Engineering - 1.4.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1.4.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Feb 22 2017 Paul Wouters - 1.4.4-3 +- Add upstream patches (free pktb after use, nat_tuple leak) + +* Fri Feb 10 2017 Fedora Release Engineering - 1.4.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Sep 22 2016 Paul Wouters - 1.4.4-1 +- Updated to 1.4.4 (rhbz#1370668) +- Include new man5 pages + +* Wed Apr 20 2016 Paul Wouters - 1.4.3-1 +- Resolves: rhbz#1261220 1.4.3 is available +- Update source url +- Remove incorporated patches + +* Wed Feb 03 2016 Fedora Release Engineering - 1.4.2-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Aug 21 2015 Paul Wouters - 1.4.2-10 +- Resolves: 1255578 - conntrackd could neither be started nor be stopped + +* Tue Aug 18 2015 Paul Wouters - 1.4.2-9 +- Resolves: rhbz#CVE-2015-6496, rhbz#1253757 +- Fold in upstream patches since 1.4.2 release up to git 900d7e8 +- Fold in upstream patch set of 2015-08-18 for coverity issues + +* Wed Jun 17 2015 Fedora Release Engineering - 1.4.2-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Jan 12 2015 Paul Komkoff - 1.4.2-7 +- bz#1181119 - wait for network to be on before starting conntrackd + +* Sun Jan 11 2015 Paul Komkoff - 1.4.2-6 +- bz#998105 - remove patch residues from doc + +* Sat Aug 16 2014 Fedora Release Engineering - 1.4.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.4.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Dec 21 2013 Paul Komkoff - 1.4.2-3 +- rebuilt + +* Sat Sep 7 2013 Paul P. Komkoff Jr - 1.4.2-2 +- bz#850067 + +* Sat Sep 7 2013 Paul P. Komkoff Jr - 1.4.2-1 +- new upstream version + +* Sat Aug 03 2013 Fedora Release Engineering - 1.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Fri Feb 08 2013 Paul Komkoff - 1.4.0-2 +- fix bz#909128 + +* Mon Nov 26 2012 Paul P. Komkoff Jr - 1.4.0-1 +- new upstream version + +* Tue Jul 24 2012 Paul P. Komkoff Jr - 1.2.1 +- new upstream version + +* Wed Jul 18 2012 Fedora Release Engineering - 1.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon May 07 2012 Paul Wouters - 1.0.1-1 +- Updated to 1.0.1 +- Added daemon using systemd and configuration file +- Removed legacy spec requirements +- Patch for: parse.c:240:34: error: 'NULL' undeclared + +* Thu Jan 12 2012 Fedora Release Engineering - 1.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu May 5 2011 Paul P. Komkoff Jr - 1.0.0 +- new upstream version + +* Wed Feb 09 2011 Fedora Release Engineering - 0.9.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Nov 19 2010 Paul P. Komkoff Jr - 0.9.15-1 +- new upstream version + +* Thu Mar 25 2010 Paul P. Komkoff Jr - 0.9.14-1 +- update, at last + +* Tue Nov 10 2009 Paul P. Komkoff Jr - 0.9.13-2 +- failed to properly commit the package :( + +* Tue Oct 13 2009 Paul P. Komkoff Jr - 0.9.13-1 +- new upstream version + +* Fri Jul 24 2009 Fedora Release Engineering - 0.9.12-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sun May 24 2009 Paul P. Komkoff Jr - 0.9.12-3 +- new upstream version + +* Sun May 24 2009 Paul P. Komkoff Jr - 0.9.12-2 +- versioning screwup + +* Sun May 24 2009 Paul P. Komkoff Jr - 0.9.12-1 +- new upstream version + +* Tue Feb 24 2009 Fedora Release Engineering - 0.9.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Jan 13 2009 Paul P. Komkoff Jr - 0.9.9-1 +- new upstream version + +* Sun Oct 26 2008 Paul P. Komkoff Jr - 0.9.8-1 +- new upstream version +- remove rollup patch + +* Wed Jul 16 2008 Paul P. Komkoff Jr - 0.9.7-2 +- fix Patch0/%%patch. + +* Wed Jul 16 2008 Paul P. Komkoff Jr - 0.9.7-1 +- new upstream version + +* Sat Feb 23 2008 Paul P. Komkoff Jr - 0.9.6-0.1.svn7382 +- new version from svn + +* Fri Feb 22 2008 Paul P. Komkoff Jr - 0.9.5-5 +- fix the PATH_MAX-related compilation problem + +* Tue Feb 19 2008 Fedora Release Engineering - 0.9.5-4 +- Autorebuild for GCC 4.3 + +* Tue Oct 23 2007 Paul P. Komkoff Jr - 0.9.5-3 +- review fixes + +* Sun Oct 21 2007 Paul P. Komkoff Jr - 0.9.5-2 +- review fixes + +* Fri Oct 19 2007 Paul P. Komkoff Jr - 0.9.5-1 +- new upstream version + +* Sun Jul 22 2007 Paul P. Komkoff Jr - 0.9.4-1 +- replace conntrack with conntrack-tools